5.8 Implementing Password Synchronization

The Password Synchronization functionality provided in Identity Manager enables you to implement several different scenarios. This section outlines basic scenarios, to help you understand how the settings in Identity Manager Password Synchronization and NMAS password policies affect the way passwords are synchronized. You can use one or more of the scenarios to meet the needs of your environment.

5.8.1 Overview of Identity Manager Relationship to NMAS

Utilities and NMAS

Utilities such as iManager and the Novell Client communicate with NMAS rather than directly updating a specific password. NMAS is the entity that determines which passwords are updated.

NMAS synchronizes passwords within an Identity Vault, based on your settings in NMAS password policies.

Legacy utilities that are not Universal Password-enabled update the NDS password directly, instead of communicating with NMAS and letting NMAS determine which passwords are updated. Be aware of how users and help desk administrators use legacy utilities in your environment. Because legacy utilities update the NDS password directly instead of going through NMAS, password drift (Universal Password and NDS password get out of sync) can occur if you are using Universal Password and NMAS 2.3.

For example, to ensure support of Universal Password, make sure that users upgrade to the Novell Client, and make sure that help desk users use ConsoleOne only with the latest Novell Client or NetWare release.

Identity Manager and NMAS

In
Scenario 1, the Identity Manager Driver for eDirectory can be used to update the NDS password directly. This scenario is basically the same as the one provided in DirXML 1.
x.

In
Scenario 2,
Scenario 3, and
Scenario 4, Identity Manager is used to update either Universal Password or Distribution Password. Identity Manager goes through NMAS to make password changes. This allows NMAS to update other Identity Vault passwords as determined by NMAS password policy settings, and allows NMAS to enforce Advanced Password Rules from NMAS password policies for passwords being synchronized with connected systems. In these scenarios, the password that Identity Manager distributes to connected systems is always the Distribution Password.

The difference between Scenario 2, Scenario 3, and Scenario 4 lies in the different combinations of NMAS password policy settings and Identity Manager Password Synchronization settings for each connected system driver.

5.8.2 Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults

As in Password Synchronization 1.0, you can synchronize NDS Password between two Identity Vaults by using the eDirectory driver. This scenario does not require Universal Password to be implemented, and can be used with eDirectory 8.6.2 or later. Another name for this kind of password synchronization is synchronizing the public/private key pair.

This method should be used only to synchronize passwords from Identity Vault to Identity Vault. It does not use NMAS and therefore cannot be used to synchronize passwords to connected applications.

Advantages and Disadvantages of Scenario 1

Simple configuration. Just include the correct attributes in the driver filter.

If you are deploying Identity Manager 3.0.1 and eDirectory 8.7.3 in stages, this method can help you deploy gradually.

You don't need to add the new password synchronization policies to driver configurations.

Does not require Universal Password to be implemented in the Identity Vault.

Can be used with connected vaults running eDirectory 8.6.2 or later.

Does not require NMAS 2.3.

Enforces the basic password restrictions you can set for NDS Password.

This method synchronizes passwords between Identity Vaults. Passwords cannot be synchronized to other connected systems.

Does not update Universal Password or Distribution Password.

Because this method does not use NMAS, you can't validate passwords against Advanced Password Rules in password policies for passwords coming from another Identity Vault.

Because this method does not use NMAS, you can't reset passwords on the connected Identity Vault if the passwords don't comply with the NMAS password policy.

E-mail notifications are not provided for password synchronization failures.

Check Password Status operations from the iManager task are not supported. (Distribution Password is required for this feature.)

The following diagram shows that, as in DirXML 1.
x, the Identity Manager Driver for eDirectory can be used to synchronize the NDS password between two Identity Vaults. This scenario does not go through NMAS.

Figure 5-6 Using NDS Password to Synchronize between Two Identity Vaults

Setting Up Scenario 1

To set up this kind of password synchronization, configure the driver.

Universal Password Deployment

Not necessary.

Password Policy Configuration

None.

Password Synchronization Settings

None. The settings on the Password Synchronization page for a driver have no effect on this method of synchronizing NDS Password.

Driver Configuration

Remove the Password Synchronization policies listed in Section 5.3.4, Policies Required in the Driver Configuration. Those policies are intended to support Universal Password and Distribution Password. NDS Password is synchronized by using Public Key and Private Key attributes instead of these policies.

Make sure that the driver filter for both Identity Vault drivers is synchronizing the Public Key and Private Key attributes for all object classes for which passwords should be synchronized. The following figure shows an example.

Figure 5-7 Synchronizing the Private and Public Key Attributes

Troubleshooting Scenario 1

Turn on the DSTrace option.

Check the driver Filter to make sure the Public Key and Private Key attributes are being synchronized, not ignored.

5.8.3 Scenario 2: Synchronizing by Using Universal Password

With Identity Manager, you can synchronize a connected system password with the Universal Password in the Identity Vault.

When Universal Password is updated, the NDS Password, Distribution Password, or Simple Password can also be updated, depending on your settings in the NMAS password policy.

Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Section 5.2, Connected System Support for Password Synchronization.

Advantages and Disadvantages of Scenario 2

Allows synchronization of passwords to and from the Identity Vault and the connected system.

Allows passwords to be validated against the NMAS password policy.

Allows e-mail notifications for failed password operations, such as when a password coming from a connected system does not comply with Password.

Supports the Check Password Status task in iManager, if Universal Password is being synchronized with Distribution Password and if the connected system supports checking passwords.

NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If a password coming from a connected system does not comply, an error is generated, and an e-mail notification is sent if you have specified that option.

If you don't want password policy rules enforced, you can deselect Enable Advanced Password Rules in the NMAS password policy.

By design, resetting passwords in the connected system is not supported with this method because the Distribution Password and Universal passwords might not be the same, depending on your settings in the password policies.

Universal Password Deployment

Password Policy Configuration

Make sure that an NMAS password policy is assigned to the parts of the Identity Vault that you want to have this kind of password synchronization.

In iManager, select
Passwords >
Password Policies.

Select a policy, then click
Edit.

Browse to and select the object where you want password synchronization to occur.

You can assign the policy to the entire tree structure (by browsing to and selecting the Login Policy object in the Security container), a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.

In the password policy, make sure that the following are selected:

Enable Universal Password

Synchronize NDS Password when setting Universal Password

Synchronize Distribution Password when setting Universal Password

Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be checked to allow bidirectional password synchronization.

Complete your password policy as desired.

NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled. If you don't want password policy rules enforced, deselect
Enable the Advanced Password Rules.

If you are using Advanced Password Rules, make sure they don't conflict with the password policies on any connected systems that are subscribing to passwords.

Password Synchronization Settings

In iManager, select
Passwords >
Password Synchronization.

Search for drivers for the connected systems, then select a driver.

Create settings for the driver for the connected system.

Make sure that the following are selected:

Identity Manager accepts passwords (Publisher Channel)

A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in a the driver configuration using a policy.

Application accepts passwords (Subscriber Channel)

If the connected system does not support accepting passwords, the option is dimmed.

These settings allow for bidirectional password synchronization if it is supported by the connected system.

You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only
Application accepts passwords (Subscriber Channel).

Make sure that
Use Distribution Password for password synchronizationi s not checked:

In this scenario, Identity Manager updates the Universal Password directly. The Distribution Password is still used to distribute passwords to connected systems, but is updated from the Universal Password by NMAS instead of by Identity Manager.

(Optional) Select the following if desired:

Notify the user of password synchronization failure via e-mail

Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory User object to be populated.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.

Driver Configuration

Make sure that the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization.

Flowchart for Scenario 2

The following flowchart illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to Universal Password in this scenario. NMAS decides how to handle the password based on the following:

What the other settings are in the password policy for synchronizing Universal Password with the other passwords.

Figure 5-9 How NMAS Handles the Password It Receives from Identity Manager

Trouble Logging in to the Identity Vault

Turn on the
+AUTH,
+DXML, and
+DVRS settings in DSTrace.

Figure 5-10 DSTrace Commands

Verify that the <
password> or <
modify-password> elements are being passed to Identity Manager. To verify that they are being passed, watch the trace screen with those options turned on.

Verify that the password is valid according to the rules of the password policy.

Check the NMAS password policy configuration and assignment. Try assigning the policy directly to a user to make sure the correct policy is being used.

On the Password Synchronization page for the driver, make sure that
DirXML accepts passwords is selected.

In the password policy, make sure that
Synchronize Distribution Password when setting Universal Password is selected.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting cases where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

Turn on the
+DXML and
+DVRS settings in DSTrace to see Identity Manager rule processing

Check the driver filter to make sure the nspmDistributionPassword attribute is set correctly, as explained in Step 2.

Verify that the <
password> for an Add or <
modify-password> element is being sent to the connected system. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first items.

Error When Using Check the Object Password

The Check Password Status task in iManager causes the driver to check object password action. If you have problems, review the following:

If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter for the correct settings for the nspmDistributionPassword attributes. Also, make sure that the password policy has
Synchronize Distribution Password when Setting Universal Password selected.

If the Check Object Password returns
Not Synchronized, verify that the driver configuration contains the appropriate Password Synchronization policies.

Compare the NMAS password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

Check Object Password operates from the Distribution Password. If the Distribution Password is not being updated, Check Object Password might not report that passwords are synchronized.

Keep in mind that for the Identity Manager driver only, Check Password Status is checking the NDS Password instead of the Distribution Password.

In this scenario, Identity Manager updates the Distribution Password directly, and allows NMAS to determine how the other Identity Vault passwords are synchronized.

Any connected system can publish passwords to Identity Manager, though not all connected systems can provide the user's actual password. For example, Active Directory can publish a user's actual password to Identity Manager. Although PeopleSoft does not provide a password from the PeopleSoft system itself, it can provide an initial password created in a policy in the driver configuration, such as a password based on the user's employee ID or last name. Not all drivers can subscribe to password changes from Identity Manager. See Section 5.2, Connected System Support for Password Synchronization.

Universal Password Deployment

Password Policy Configuration

In iManager, select
Passwords >
Password Policies.

Make sure a password policy is assigned to the parts of the Identity Vault tree that you want to have this kind of password synchronization. You can assign it to the entire tree structure, a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.

In the password policy, make sure the following are selected:

Enable Universal Password

S
ynchronize NDS Password when setting Universal Password

Synchronize Distribution Password when setting Universal Password

Because Identity Manager retrieves the Distribution Password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.

If you are using Advanced Password Rules, make sure that they don't conflict with the password policies on any connected systems that are subscribing to passwords.

Password Synchronization Settings

In iManager, select
Passwords >
Password Synchronization.

Search for drivers for the connected systems, then select a driver.

Create settings for the driver for the connected system.

Make sure that the following are selected:

Identity Manager accepts passwords (Publisher Channel)

Use Distribution Password for password synchronization

A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.

Application accepts passwords (Subscriber Channel)

These settings allow for bidirectional password synchronization if it is supported by the connected system.

You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only
Application accepts passwords (Subscriber Channel).

Specify whether you want NMAS password policies to be enforced or ignored, using the options under
Use Distribution Password for password synchronization.

(Conditional) If you have specified that you want password policies to be enforced, also specify whether you want Identity Manager to reset the connected system password if it does not comply.

(Optional) Select the following if desired:

Notify the user of password synchronization failure via e-mail

Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory user object to be populated.

E-mail notifications are noninvasive. They do not affect the processing of the XML document that triggered the email. If they fail, they are not retried unless the operation itself is retried. However, debug messages for e-mail notifications are written to the trace file.

Driver Configuration

Make sure that the required Identity Manager script password synchronization policies are included in the driver configurations for each driver that should participate in password synchronization.

Flowchart for Scenario 3

The following flowchart illustrates how NMAS handles the password it receives from Identity Manager. The password is synchronized to the Distribution Password in this scenario, and NMAS decides the following:

How to handle the password based on whether you have specified that incoming passwords should be validated against password policy rules (if Universal Password and Advanced Password Rules are enabled).

What the other settings are in the password policy for synchronizing Universal Password with the other passwords.

Figure 5-12 Password from Identity Manager is Synchronized to the Distribution Password

Trouble Logging in to eDirectory

Turn on the
+AUTH,
+DXML, and
+DVRS settings in DSTrace

Figure 5-13 DSTrace commands

Verify that the <
password> or <
modify-password> elements are being passed to Identity Manager. To verify, watch the DSTtrace screen or file with the trace options turned on as noted in the first item.

Verify that the password is valid according to the rules of the NMAS password policy.

Check the NMAS password policy configuration and assignment. Try assigning the policy directly to the user to make sure the correct policy is being used.

On the Password Synchronization page for the driver, make sure that
Identity Manager accepts passwords (Publisher Channel) is selected.

In the NMAS password policy, make sure that
Synchronize Distribution Password when setting Universal Password is selected.

In the NMAS password policy, make sure that
Synchronize NDS Password when setting Universal Password is selected, if this is desired.

If users are logging in through the Novell Client or ConsoleOne, check the version. Legacy Novell Clients and ConsoleOne might not be able to log in to the Identity Vault if the Universal Password is not synchronized with the NDS Password.

Some legacy utilities authenticate by using the NDS Password, and also cannot log in to the Identity Vault if the Universal Password is not synchronized with the NDS Password. If you don't want to use the NDS Password for most users, but you have administrator or help desk users who need to authenticate with legacy utilities, try using a different password policy for help desk users so you can specify different Universal Password synchronization options for them.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

Turn on the
+DXML and
+DVRS settings in DSTrace to see Identity Manager rule processing and potential errors

Set the Identity Manager trace level for the driver to
3.

Make sure that the
Identity Manager accepts passwords (Publisher Channel) option is selected in the Password Synchronization page.

In the password policy, make sure that
Synchronize Distribution Password when setting Universal Password is not selected.

Identity Manager uses the Distribution Password to synchronize passwords to connected systems. Universal Password must be synchronized with the Distribution Password for this synchronization method.

Check the driver filter for the nspmDistributionPassword attribute.

Verify that the <
password> element for an Add or a <
modify-password> element has been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the options turned on as noted in the first item.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.

If the driver manifest does not indicate that the connected system supports password-check capability, this operation is not available through iManager.

If the Check Object Password returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the driver filter, and the
Synchronize Universal to Distribution option within the password policy.

Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

Check Object Password checks the Distribution Password. If the Distribution Password is not being updated,
Check Object Password might not report that passwords are synchronized

Keep in mind that for the Identity Vault,
Check Password Status checks the NDS Password instead of the Universal Password. This means that if the user's password policy does not specify to synchronize the NDS Password with the Universal Password, the passwords are always reported as being not synchronized. In fact, the Distribution Password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS Password and the Distribution Password are synchronized with the Universal Password.

Identity Manager also uses the Distribution Password to distribute passwords to connected systems that you have specified should accept passwords.

The key to this scenario is that in the NMAS password policy,
Synchronize Universal Password with Distribution Password is disabled. Because the Distribution Password is not synchronized with the Universal Password, Identity Manager synchronizes passwords among connected systems without affecting passwords in the Identity Vault.

Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.

Password Policy Configuration

No password policy is required for Identity Vault users for this method.

However, if you use a password policy, you must do the following:

Make sure the following is not selected:

Synchronize Distribution Password when setting Universal Password

This is the key to tunneling passwords without the Identity Vault password being affected. By not synchronizing the Universal Password with the Distribution Password, you keep the Distribution Password separate, for use only by Identity Manager for connected systems. Identity Manager acts as a conduit, distributing passwords to and from other connected systems, without affecting the Identity Vault password.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

Turn on the
+DXML and +
DVRS settings in DSTrace to see Identity Manager rule processing and potential errors.

Set the Identity Manager trace level for the driver to
3.

Make sure that the
Identity Manager accepts passwords (Publisher Channel) option is selected on the Password Synchronization page.

In the password policy, make sure that
Synchronize Distribution Password when setting Universal Password is not selected.

Identity Manager uses the Distribution Password to synchronize passwords to connected systems. The Universal Password must be synchronized with the Distribution Password for this synchronization method.

Make sure the driver filter has the correct settings for the nspmDistributionPassword attribute.

Verify that the <
password> element for an Add and a <
modify-password> element have been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.

Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to be perform a Check Object Password action.

This operation is not available through iManager if the driver manifest does not indicate that the connected system supports password-check capability.

If the Check Object Password action returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the Identity Manager attribute filter, and the
Synchronize Universal to Distribution option within the password policy.

This scenario is a specialized use of password synchronization features. Using Identity Manager and NMAS, you can take a password from a connected system and synchronize it directly to the Identity Vault Simple Password. If the connected system provides only hashed passwords, you can synchronize them to the Simple Password without reversing the hash. Then, other applications can authenticate to the Identity Vault by using the same clear text or hashed password through LDAP or the Novell Client, with NMAS components configured to use the Simple Password as the login method.

If the password in the connected system is in clear text, it can be published as it is from the connected system into the Identity Vault Simple Password store.

If the connected system provides only hashed passwords (MD5, SHA, SHA1,or UNIX Crypt are supported), you must publish them to the Simple Password with an indication of the kind of hash, such as {MD5}.

For another application to authenticate with the same password, you need to customize the other application to take the user's password and authenticate to the Simple Password using LDAP.

NMAS compares the password value from the application with the value in the Simple Password. If the password stored in the Simple Password is a hash value, NMAS first uses the password value from the application to create the correct type of hash value, before comparing. If the password from the application and the Simple Password are the same, NMAS authenticates the user.

Setting Up Scenario 5

Password Policy Configuration

No password policy is required for users for this scenario. Universal Password cannot be used.

Password Synchronization Settings

For this scenario, you use Identity Manager Script to directly modify the SAS:Login Configuration attribute. This means that the Password Synchronization global configuration values (GCVs), which are set by using the Password Synchronization page in iManager, have no effect.

Driver Configuration

Make sure that the SAS:Login Configuration attribute in the filter has the setting of
Synchronize for both Publisher and Subscriber channels.

Configure the driver policies to publish the password from the connected system.

For hashed passwords, configure the driver policies to prepend the type of hash (if it is not already provided by the application):